For our GitHub CI we’d love to check PRs from contributors - i.e. from forks. I understand that’s currently not possible, due to security considerations.
I think I know how to do it without security issues, and even better, I think I know how you can check that people are doing it securely - and continue to prevent analysis in insecure contexts.
I will quickly describe how; once you tell me that this is a possible path forward I’m happy to implement a demo repo that allows us to make progress. But I don’t want to spend more time on SonarCloud if all I can see is dead ends.
I’m talking about GitHub and C++ projects; I expect much of that can be applied elsewhere. The trick is to split the analysis (done in the target project context) from the build (done in the fork context). In our example I can CMake-configure the contribution and generate `compile_commands.json` in a `pull_request` trigger context - without any secrets. I would then store that `compile_commands.json` file as an artifact, and have an independent job triggered by the successful conclusion of the first job. This second job picks up the artifact and runs the analysis in the context of the target project - with secrets; it will thus be able to upload the results.
You can add an Action to the GitHub Actions marketplace (for extra visibility!) that checks that `github.repository_owner` is the expected one, e.g. as defined in `sonar-project.properties`. Or you have `sonar_scanner` check the environment variable `GITHUB_REPOSITORY_OWNER`. If you detect a fork context then you issue a (very helpful, actually…) error that analysis on forks isn’t supported, and link to the doc page that explains this approach here. Else you know that the secret doesn’t actually leave the organization and there’s no reason (I hope) to prevent the analysis from being processed.
Would this be an acceptable avenue for SonarSource?
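A sketch of the two-stage layout proposed in the post, added here as an example; it is not code from the poster's project or from SonarSource. The two workflow files are shown in one block separated by `---`. The workflow names, the `compile-commands` artifact name, the `EXPECTED_OWNER` value, the `main` base branch, the placeholder doc link, and the `sonar.cfamily.compile-commands` / `sonar.pullrequest.*` scanner properties are assumptions for illustration and should be checked against the current SonarCloud documentation before use.

```yaml
# .github/workflows/build.yml
# Stage 1: runs on pull_request, i.e. in the restricted context where fork PRs
# get no secrets. It only configures the contribution and exports the
# compile database; nothing here needs a token.
name: Build
on:
  pull_request:

permissions:
  contents: read

jobs:
  configure:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: CMake-configure and export compile_commands.json
        run: cmake -S . -B build -DCMAKE_EXPORT_COMPILE_COMMANDS=ON
      # The PR number travels in the artifact so stage 2 knows what it analyses.
      - name: Record PR number
        run: echo "${{ github.event.pull_request.number }}" > build/pr-number
      - uses: actions/upload-artifact@v4
        with:
          name: compile-commands        # assumed artifact name
          path: |
            build/compile_commands.json
            build/pr-number

---
# .github/workflows/analyze.yml
# Stage 2: runs on workflow_run in the base repository, where secrets exist.
# The workflow file used is the one on the default branch, so a PR cannot edit it.
name: Analyze
on:
  workflow_run:
    workflows: [Build]
    types: [completed]

permissions:
  contents: read
  actions: read        # required to download another run's artifact

jobs:
  sonar:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      # The owner check the post asks the scanner to perform, modelled as a shell step.
      - name: Refuse analysis in a fork context
        env:
          EXPECTED_OWNER: my-org     # assumption; the post suggests sourcing this from sonar-project.properties
        run: |
          if [ "$GITHUB_REPOSITORY_OWNER" != "$EXPECTED_OWNER" ]; then
            echo "::error::Analysis on forks is not supported; see https://example.invalid/docs  (placeholder link)"
            exit 1
          fi
      # Check out the contributed sources at the exact commit stage 1 built.
      # Do not build or run anything from this tree in the privileged job.
      - uses: actions/checkout@v4
        with:
          repository: ${{ github.event.workflow_run.head_repository.full_name }}
          ref: ${{ github.event.workflow_run.head_sha }}
      - uses: actions/download-artifact@v4
        with:
          name: compile-commands
          path: build
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      # Everything in the artifact was written by untrusted code: treat it as data.
      - name: Validate artifact contents
        id: pr
        run: |
          pr=$(tr -d '[:space:]' < build/pr-number)
          case "$pr" in
            ''|*[!0-9]*) echo "::error::pr-number in artifact is not numeric"; exit 1 ;;
          esac
          echo "number=$pr" >> "$GITHUB_OUTPUT"
      - name: Run sonar-scanner with the stage-1 compile database
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}   # secret stays in the base repo's context
        run: |
          sonar-scanner \
            -Dsonar.cfamily.compile-commands=build/compile_commands.json \
            -Dsonar.pullrequest.key=${{ steps.pr.outputs.number }} \
            -Dsonar.pullrequest.branch=${{ github.event.workflow_run.head_branch }} \
            -Dsonar.pullrequest.base=main
```

Two points a practitioner would check here. The privileged stage only reads the checked-out fork sources and the downloaded artifact; it never runs CMake, build scripts or anything else from that tree, because the `workflow_run` job has the secrets the `pull_request` job was denied. And the artifact is attacker-controlled input, which is why the PR number is validated before it reaches the scanner command line rather than trusted as-is.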